Eclipse GlassFish is vulnerable to Reflected XSS attacks through its Administration Console

Description

In Eclipse GlassFish version 7.0.15, it is possible to perform Reflected Cross-Site Scripting attacks through the Administration Console.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2025-07-16 12:30:22 UTC
Updated
2025-07-18 15:17:20 UTC
GitHub reviewed
2025-07-18 15:17:19 UTC
NVD published
2025-07-16

EPSS Score

Score Percentile
0.04% 11.80%

CVSS Scores

Base score Version Severity Vector
4.5 4.0
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:H)
Exploitation depends on constrained or hard-to-reproduce conditions.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:H)
High privileges are required.
User interaction (UI:A)
User interaction is required in an active way.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:H)
High confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:H)
High integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.glassfish.main.admingui:console-common <= 7.0.25
maven org.glassfish.main.admingui:console-cluster-plugin <= 7.0.25

References

cvelogic Threat Intelligence